feat: +AZ-PRM-1

hosts/AZ-PRM-1/configuration.nix

@@ -1,6 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {
   config,
   lib,
@@ -8,86 +5,30 @@
   ...
 }: {
   imports = [
-    # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./disko-config.nix
   ];
 
-  boot.loader.grub = {
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-  };
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "AZ-CLD-1"; # Define your hostname.
-  # Pick only one of the below networking options.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+  networking.hostName = "AZ-PRM-1";
+  networking.networkmanager.enable = true;
 
-  # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
-  # Select internationalisation properties.
   i18n.defaultLocale = "de_DE.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  #   useXkbConfig = true; # use xkb.options in tty.
-  # };
 
-  # Enable the X11 windowing system.
-  # services.xserver.enable = true;
-
-  # Configure keymap in X11
-  # services.xserver.xkb.layout = "us";
-  # services.xserver.xkb.options = "eurosign:e,caps:escape";
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  # services.pulseaudio.enable = true;
-  # OR
-  # services.pipewire = {
-  #   enable = true;
-  #   pulse.enable = true;
-  # };
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.libinput.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  # users.users.alice = {
-  #   isNormalUser = true;
-  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-  #   packages = with pkgs; [
-  #     tree
-  #   ];
-  # };
-
-  # programs.firefox.enable = true;
-
-  # List packages installed in system profile.
-  # You can use https://search.nixos.org/ to find more packages (and options).
-  environment.systemPackages = with pkgs; [
-    neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
-    git
+  environment.systemPackages = [
+    pkgs.neovim
+    pkgs.git
   ];
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
   };
 
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
   services.openssh = {
     enable = true;
     ports = [2022];
@@ -97,33 +38,7 @@
     };
   };
 
-  # Open ports in the firewall.
   networking.firewall.allowedTCPPorts = [587];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
 
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  #
-  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
-  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
-  # to actually do that.
-  #
-  # This value being lower than the current NixOS release does NOT mean your system is
-  # out of date, out of support, or vulnerable.
-  #
-  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
-  # and migrated your data accordingly.
-  #
-  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "25.05";
 }

hosts/AZ-PRM-1/disko-config.nix

@@ -3,15 +3,10 @@
     disk = {
       main = {
         type = "disk";
-        device = "/dev/vda"; # CHANGE ME
+        device = "/dev/sda";
         content = {
           type = "gpt";
           partitions = {
-            boot = {
-              size = "1M";
-              type = "EF02"; # for GRUB MBR
-              priority = 1;
-            };
             esp = {
               size = "512M";
               type = "EF00";

hosts/AZ-PRM-1/hardware-configuration.nix

@@ -1,28 +1,17 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
   config,
   lib,
   pkgs,
-  modulesPath,
   ...
 }: {
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
+  virtualisation.hypervGuest.enable = true;
 
-  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot.initrd.availableKernelModules = ["sd_mod" "sr_mod" "hv_storvsc"];
   boot.initrd.kernelModules = [];
   boot.kernelModules = [];
   boot.extraModulePackages = [];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }

hosts/AZ-PRM-1/secrets.nix

@@ -4,36 +4,25 @@
       traefik-env = {
         file = ../../secrets/traefik-env.age;
       };
-      baserow-db = {
-        file = ../../secrets/baserow-db.age;
-      };
-      kestra-db = {
-        file = ../../secrets/kestra-db.age;
-      };
       n8n-env = {
         file = ../../secrets/n8n-env.age;
       };
-      n8n-db = {
-        file = ../../secrets/n8n-db.age;
+      pgadmin-pw = {
+        file = ../../secrets/pgadmin-pw.age;
+        owner = "pgadmin";
       };
       pg-cert = {
         file = ../../secrets/server.crt.age;
-        owner = "root";
+        owner = "postgres";
         group = "postgres";
-        mode = "0640";
+        mode = "0644";
       };
       pg-key = {
         file = ../../secrets/server.key.age;
-        owner = "root";
+        owner = "postgres";
         group = "postgres";
         mode = "0600";
       };
-      vaultwarden-env = {
-        file = ../../secrets/vaultwarden-env.age;
-      };
-      vaultwarden-db = {
-        file = ../../secrets/vaultwarden-db.age;
-      };
     };
   };
 }

hosts/AZ-PRM-1/services/containers/default.nix

@@ -1,6 +1,15 @@
-{
+{lib, ...}: {
   imports = [
     #./baserow.nix
-    #./kestra.nix
+    # ./kestra.nix
+    ./stirling-pdf.nix
   ];
+  system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
+    if ! /run/current-system/sw/bin/podman network exists web; then
+      /run/current-system/sw/bin/podman network create web --subnet=10.89.0.0/24 --internal
+    fi
+    if ! /run/current-system/sw/bin/podman network exists web-dev; then
+      /run/current-system/sw/bin/podman network create web-dev --subnet=10.89.1.0/24 --internal
+    fi
+  '';
 }

hosts/AZ-PRM-1/services/containers/kestra.nix

@@ -23,7 +23,7 @@
     services.kestra.loadBalancer.servers = [{url = "http://localhost:3031/";}];
 
     routers.kestra = {
-      rule = "Host(`k.i.az-intec.com`)";
+      rule = "Host(`k.l.az-gruppe.com`)";
       tls = {certResolver = "ionos";};
       service = "kestra";
       entrypoints = "websecure";

hosts/AZ-PRM-1/services/containers/stirling-pdf.nix

@@ -0,0 +1,27 @@
+{...}: {
+  virtualisation.oci-containers.containers."stirling-pdf" = {
+    image = "docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest-fat";
+    ports = ["127.0.0.1:3032:8080"];
+    environment = {
+      SECURITY_ENABLELOGIN = "False";
+      DISABLE_ADDITIONAL_FEATURES = "False";
+    };
+
+    volumes = [
+      "stirling_pdf_data:/usr/share/tessdata"
+      "stirling_pdf_configs:/configs"
+    ];
+    extraOptions = ["--ip=10.89.0.13" "--network=web"];
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.stirling-pdf.loadBalancer.servers = [{url = "http://localhost:3032/";}];
+
+    routers.stirling-pdf = {
+      rule = "Host(`pdf.l.az-gruppe.com`)";
+      tls = {certResolver = "ionos";};
+      service = "stirling-pdf";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/AZ-PRM-1/services/default.nix

@@ -1,7 +1,28 @@
 {
   imports = [
-    # ./n8n.nix
+    ./containers
+
+    ./n8n.nix
+    ./pgadmin.nix
     ./postgres.nix
-    # ./traefik.nix
+    ./traefik.nix
   ];
+  services.traefik.dynamicConfigOptions.http = {
+    services.ptrg.loadBalancer.servers = [{url = "http://192.168.152.102:7784/";}];
+
+    routers.prtg = {
+      rule = "Host(`m.l.az-gruppe.com`)";
+      tls = {certResolver = "ionos";};
+      service = "ptrg";
+      entrypoints = "websecure";
+    };
+
+    services.AZHA.loadBalancer.servers = [{url = "http://192.168.153.194:8123/";}];
+    routers.AZHA = {
+      rule = "Host(`ha.l.az-gruppe.com`)";
+      tls = {certResolver = "ionos";};
+      service = "AZHA";
+      entrypoints = "websecure";
+    };
+  };
 }

hosts/AZ-PRM-1/services/n8n.nix

@@ -1,7 +1,7 @@
 {config, ...}: {
   services.n8n = {
     enable = true;
-    environment.WEBHOOK_URL = "https://wf.az-group.com";
+    environment.WEBHOOK_URL = "https://wf.l.az-gruppe.com";
   };
   systemd.services.n8n.serviceConfig = {
     EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];

hosts/AZ-PRM-1/services/pgadmin.nix

@@ -0,0 +1,18 @@
+{config, ...}: {
+  services.pgadmin = {
+    enable = true;
+    initialPasswordFile = "${config.age.secrets.pgadmin-pw.path}";
+    initialEmail = "sascha.koenig@azintec.com";
+  };
+
+  # Traefik configuration specific to baserow
+  services.traefik.dynamicConfigOptions.http = {
+    services.pgadmin.loadBalancer.servers = [{url = "http://localhost:5050/";}];
+    routers.pgadmin = {
+      rule = "Host(`pg.l.az-gruppe.com`)";
+      tls.certResolver = "ionos";
+      service = "pgadmin";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/AZ-PRM-1/services/postgres.nix

@@ -36,7 +36,6 @@
       # Local connections (Unix socket)
       local   all         postgres    peer
       local   n8n         n8n         scram-sha-256
-      local   vaultwarden vaultwarden scram-sha-256
 
       # Localhost connections (IPv4 and IPv6)
       host    all          postgres     127.0.0.1/32    scram-sha-256
@@ -45,9 +44,6 @@
       host    n8n          n8n          127.0.0.1/32    scram-sha-256
       host    n8n          n8n          ::1/128         scram-sha-256
 
-      host    vaultwarden  vaultwarden  127.0.0.1/32    scram-sha-256
-      host    vaultwarden  vaultwarden  ::1/128         scram-sha-256
-
       # Podman network connections
       host    baserow      baserow      10.89.0.0/24    scram-sha-256
       host    kestra       kestra       10.89.0.0/24    scram-sha-256
@@ -61,7 +57,7 @@
   services.postgresqlBackup = {
     enable = true;
     startAt = "03:10:00";
-    databases = ["baserow" "kestra" "n8n" "vaultwarden"];
+    databases = ["baserow" "kestra" "n8n"];
   };
   networking.firewall = {
     extraCommands = ''

hosts/AZ-PRM-1/services/traefik.nix

@@ -31,6 +31,15 @@
         };
         websecure = {
           address = ":443";
+          http.tls = {
+            certResolver = "ionos";
+            domains = [
+              {
+                main = "l.az-gruppe.com";
+                sans = ["*.l.az-gruppe.com"];
+              }
+            ];
+          };
         };
       };
     };
@@ -39,7 +48,7 @@
         services = {
           dummy = {
             loadBalancer.servers = [
-              {url = "http://192.168.0.1";} # Diese URL wird nie verwendet
+              {url = "http://192.168.0.1";}
             ];
           };
         };
@@ -50,15 +59,20 @@
             };
           };
         };
-
         routers = {
           api = {
-            rule = "Host(`r.az-gruppe.com`)";
+            rule = "Host(`r.l.az-gruppe.com`)";
             service = "api@internal";
             middlewares = ["auth"];
             entrypoints = ["websecure"];
             tls = {
               certResolver = "ionos";
+              domains = [
+                {
+                  main = "l.az-gruppe.com";
+                  sans = ["*.l.az-gruppe.com"];
+                }
+              ];
             };
           };
         };

hosts/AZLT124-L/default.nix

@@ -44,7 +44,10 @@
   # Configure Home Manager with unstable
   home-manager = {
     useUserPackages = true;
-    extraSpecialArgs = {inherit inputs outputs;};
+    extraSpecialArgs = {
+      inherit inputs outputs;
+      system = "x86_64-linux";
+    };
     users."sascha.koenig" = import ../../home/users/sascha.koenig/AZLT124-L.nix;
   };
 

hosts/common/default.nix

@@ -5,6 +5,7 @@
   lib,
   inputs,
   outputs,
+  system,
   ...
 }: {
   imports = [
@@ -16,7 +17,7 @@
   home-manager = {
     useUserPackages = true;
     extraSpecialArgs = {
-      inherit inputs outputs;
+      inherit inputs outputs system;
     };
   };
   nixpkgs = {
@@ -29,6 +30,8 @@
 
       inputs.nur.overlays.default
       inputs.m3ta-nixpkgs.overlays.default
+
+      (outputs.lib.mkLlmAgentsOverlay system)
       # You can also add overlays exported from other flakes:
       # neovim-nightly-overlay.overlays.default